Cybersecurity is a shared responsibility. Stop. Think. Connect.

Sun Tzu – The Art of War

‘In cyber space, computers are attacked from the moment they connect to the Internet’ – Ed Skoudis, Counter Hack Reloaded.

As I am studying for my next Certificate, the SANS GCIH, I am drawn back to the memories of my summer vacations with my grandfather in Hawaii. Every summer began by reading a book of his choosing, and when I arrived in Oahu, we would spend the next six weeks discussing it while going on the greatest adventures.

The last summer I spent with him our discussion focused on Sun Tzu’s Art of War 孫子兵法. My grandfather would say that ‘life is challenging, its distractions will pull you in a million directions. In order to succeed, you need to apply a filter that takes all the chaos and puts it into perspective. Rather than seeing problems you now see opportunities.’ – Sean Maximus Murphy

The Art of War has survived for 2,500 years because its advice is not only persuasive, but concise, easy to grasp, and malleable. The Art of War is a series of recommendations that can be continuously adapted to a diverse set of circumstances. At its core, The Art of War is about human nature, and more importantly, how it can be exploited.

This post will explore how the Art of War principals and stratagems can apply directly to the modern world of Cyber Security.

Sun Tzu’s The Art of War begins with a forewarning: ‘The Art of War is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no account be neglected.’― Sun Tzu, The Art of War

Sun Tzu stresses throughout his treatise; ‘Know thy enemy. A thousand battles, a thousand victories.’ ― Sun Tzu, The Art of War

So who is this enemy?

Professional criminals are well funded ‘businessmen’ who have adopted ‘corporate best practices’ establishing professional business models that outsource cybercrime called Crime-as-a-Service (CaaS). It is a distributed system where anyone with an agenda can simply rent, lease or purchase an ‘‘As-A-Service’, services and ‘cash in’ on their crimes.

An advanced persistent threat (APT) is an attack campaign carried out by a team of highly sophisticated cyber criminals with substantial financial backing.

The APT’s intent is to establish an unlawful, long-term presence on a network harvesting intellectual property and/or sensitive data usually by installing malware downloaded by advanced social engineering techniques such as Whaling campaigns.

Insider Threats are employees who have access to the organization’s network and are able to misappropriate data, use data exfiltration or destroy/alter the data. More often than not they are able to use legitimate credentials and permissions in order to access the data, consequently evading detection.

56% of security professionals say insider threats have become more frequent in the last 12 months.

60% privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations followed by 57% third parties and 51% of regular employees.

More than 75% of organizations estimate insider breach remediation costs could reach $500,000 while 25% believe the cost exceeds $500,000 and can reach in the millions.

Hacktivists are motivated by personal, political, religious or other beliefs, and they are intent on causing destruction and disruption including

Data theft

Reputational Damage (Release of emails/confidential information)

Distributed Denial of Service Attacks (DDoS)

Defacing websites

Nation States Bad-Actors who are preparing for

Cyber-war

Utilizing malware in order to disrupt or disable key infrastructures including power grids, water treatment plants, and nuclear power plants.

Network Infiltration

Launching distributed denial of service attacks (DDoS) in order to shut down access to government websites, emergency systems, and transportation systems.

Espionage

Collecting information for leverage such as blackmail.

‘Just As Water Retains No Constant Shape, In Warfare There Are No Constant Conditions’― Sun Tzu, The Art of War

Cyber criminals are ruthless in their pursuit of finding a weakness they can exploit via rootkits, keyloggers, RATs, botnet attacks and countless other attack types and vectors. If successful, they will go back and collect their treasures that can be readily bought or sold on the Darknet including credit card numbers, social security numbers, bank account data and intellectual property. Worse yet, take control of your system to be used in a botnet in order to carry out future attacks on other systems.

Organizations can no longer remain the slow moving dinosaurs of the past using the excuse ‘we have always done it this way.’ Organizations need to be consistently evolving and adapting by upgrading systems, introducing new technologies and/or changing business models. The goal of securing your network is an ongoing, never-ending task; Organizations should be utilizing a best practice framework for IT, such as COBIT 5.

‘You can be sure of succeeding in your attacks if you only attack places which are undefended.’ ― Sun Tzu, The Art of War

In 2017; your network is constantly under attack. The typical system will be attacked hundreds if not thousands of times in a given day. However, cyber criminals are lazy and will always ‘attack a weakness,’ over a stronghold. Employees, weak passwords, unhardened, and unpatched systems are their favorite ‘go-to’s.’

Employees are targets

Your employees are the principal targets for cyber criminals to gain access to your organization’s resources with Phishing attacks being the most common means by which breaches occur.

Weak passwords are a vulnerability

‘Weak’ passwords may be the difference between a future breach and the security of your organization’s data.

Organizations control access to their data and systems through ‘authentication,’ i.e., ‘the extension of trust’ based on a form of furnished proof of identity, that proof is more often than not a password.

Educate employees on why using strong passwords is essential, not a hassle.

A strong password should be at least eight characters and should include uppercase, lowercase, and special characters – like @#?%^&*.

Adding just one capital letter, and one special character changes the processing time for a cyber criminal to crack an eight character password from 2.4 days to 2.10 centuries. Think about that!

‘Out of the Box’ is not secure

The majority of individuals want ease of use in their devices. However, ‘out of the box’ or default configuration settings are far from secure and are easily ‘hacked.’ Default accounts and passwords need to be changed, and unnecessary services should be removed.

Patch Everything

Organizations can significantly reduce their cyber-risk by running the latest software and applications on all devices.

‘The whole secret lies in confusing the enemy so that he cannot fathom our real intent.’ ― Sun Tzu, The Art of War

When data becomes compromised, the consequences can be devastating. High-profile data breaches and ransomware attacks are increasing daily. Critical data should be encrypted both at rest and in transit.

Simply, data is always either in transit, moving via applications, email, through website connections and browsers; While at rest, it is stored in databases, the cloud, hard drives, and mobile devices.

Organizations that manage information have an obligation to protect it.

In the case of sensitive/confidential information, it is the law.

Encryption, using the science of cryptography, jumbles plain text into an unreadable cipher text using an algorithm that is irreversible without the decryption key.

At a minimum

Mobil devices should have their hard drives encrypted, thus reducing the risk of information exposure if the device is lost or stolen.

Servers, databases, backup media and all files containing sensitive/confidential information should be encrypted.

Encrypt data that is synced with the cloud.

All employees especially contractors and third-parties, that access resources remotely should do so through a Virtual Private Network (VPN).

Backup, Backup, Backup

This principle can not be stressed enough. Backup your data people.

There are two kinds of organizations: those who have lost critical data as the result of not backing up their data, and those who will.

Backing up your data can literally be the only thing that ensures that your organization is able to continue to operate if critical data has been appropriated, corrupted, or held hostage by ransomware.

The threat is defused if you have a physical copy, a second copy off-site and a third in the cloud.

Social Engineering is the ‘art of deception on the grandest of scales,’ and your employees are the weakest link in the chain. Cyber criminals prefer social engineering because ‘it is much easier to hack a human than a secured network.’ Social engineering attacks are a choreographed strategy against many employees, i.e., Phishing or a high valued target, i.e., Whaling.

However, social engineers also use an assortment of in-person or over the phone techniques to steal data, identities, credentials, money and/or infect a computer with viruses, keyloggers, trojans, and spyware.

In recent years, social engineering has been the primary cause of many high profile cyber-attacks. The impacts can be staggering including

OPSEC emboldens organizations to view operations from the perspective of an outsider (i.e., competitor or cyber criminal) in order to identify vulnerabilities.

If an organization is able to remove their data while impersonatingan outsider, the odds are high that cyber criminals can too.

OPSEC consists of a five step process

Identify the Critical Information

Determine the Threats

Analyze the Vulnerabilities

Assess the Risks

Apply Applicable Countermeasures

‘Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots.’ ― Sun Tzu, The Art of War

There is no ‘Silver Bullet’for cybersecurity. The only way to know that you have taken reasonable safeguards is to monitor and test them.

Real-Time Systems Monitoring

Monitoring systems in real-time for any unusual activity or suspicious behavior that could indicate a breach is in progress. This can alert security teams to shut down any access before criminals can do significant damage.

Your systems’ security logs are your friend

Log monitoring is a best practice and a crucial part of performing due diligence.

Testing detects vulnerabilities within web applications that are accessible from both inside and outside the organization and indicates what needs to be corrected.

Penetration Testing (Pen Testing)

Pen testing captures a picture of the current security posture and identifies potential security breach points. Moreover, it tests the effectiveness of existing security processes and ensures that configuration management has been followed through on assiduously.

Employee Awareness

Test your employee’s knowledge from the C-Suite to the mailroom.

Engage your IT department or hire an outside firm to run Phishing campaigns, Phone-based and In-person Social Engineering tests.

The phishing tests will determine how likely your employees are to click on a malicious link.

Phone based/In-person tests will demonstrate how much confidential data was able to be extracted from your employees.

It ‘is not if but when’ your network will be attacked. Security teams and management should capitalize on the experience as an opportunity to learn. The more security teams can learn, the more effective they can become. Incorporate the intelligence that was learned from previous security incident(s) into the company’s overall security strategy and make practical and efficient use of it in order to make better-informed decisions.

‘Do not repeat the tactics which have gained you one victory, but let your methods be regulated by the infinite variety of circumstances.’ ― Sun Tzu, The Art of War

So far in 2017 (as of 6/30/2017), there have been over 790 security breaches with more than 12,389,462 records exposed. Cyber criminals are not static; they exist in a state of flux. Altering methods, strategies and exploit tools. When it comes to defeating this elusive enemy, organizations must move from a position of defense-waiting for a cyber criminal to breach their network, to one of offense-controlling the cyber criminals actions and denying them the wherewithal to call the shots.

In conclusion, Cyber criminals are increasingly harder to trace and even harder to remediate. They are creative collaborators, sharing successful techniques and progressively more dangerous malware. They are stealthier, using multiple vectors and entry points in order to navigate around network defenses and breach them; not to mention remaining hidden in our systems longer, thus becoming more costly for organizations. Business continuity is crucial for the success of any organization. Insecure systems are detrimental. Follow the teachings of Sun Tzu. ‘Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win’― Sun Tzu, The Art of War

Search

Search for:

Text Widget

This is a text widget, which allows you to add text or HTML to your sidebar. You can use them to display text, links, images, HTML, or a combination of these. Edit them in the Widget section of the Customizer.